
You’re infected—if you want to see your data again, pay us $300 in Bitcoins

380 points | elux | 12 years ago | arstechnica.com

289 comments

[+] blhack|12 years ago|reply
You can work to prevent this by creating a group policy that disallows

    %AppData%\*.exe

and

    %AppData%\*\*.exe
A good discussion of this happened here: http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care...

sidenote: this virus actually scares me, and it sounds like it actually scares most people who work in IT. This is the shittiest thing anybody has ever seen, it sounds like.

[+] bcoates|12 years ago|reply
Don't do that, that's crazy. If you don't want your users running random binaries turn on applocker: http://technet.microsoft.com/en-us/library/dd723683(v=ws.10)...

If the "1002.exe" sample on Reddit is accurate the installer is unsigned, so forbidding unsigned binaries should be sufficient. The number of legitimate unsigned Windows binaries is small enough that you should be able to whitelist them by hand.

[+] mcphilip|12 years ago|reply
It actually made my skin crawl reading about it. Never had that reaction to such a story before. Interesting...

Edit: It's the BTC aspect that's worrisome. Ransomware is nothing new -- the AIDS Information Trojan did it in 1989, but the (potentially) safe method of payment in crypto currency seems to be a new factor that will attract much more innovation in these types of attacks.

[+] shanselman|12 years ago|reply
Unfortunately lots of stuff runs under there including, but not limited to:

GitHub for Windows and dozens of apps it installs in there
F.lux
Anything installed with ClickOnce
Chrome
GMVault
Xamarin's Android Support
Markdownpad
SkyDrive
Join.me

Assuming that everything in there is a virus is too much, I think.

[+] crb|12 years ago|reply
Doesn't Google Chrome run under %AppData% in a default (non-MSI) install? (This is how it's able to silently update itself, even when run as a non-administrator.)
[+] fekberg|12 years ago|reply
Here's a command you can run to find out what executables exist in AppData:

    dir /S /P "%userprofile%\AppData\*.exe" > %userprofile%\Desktop\FoundFiles.txt
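As an added example (not from this thread or any of its posters), a PowerShell version of the same inventory that also records each binary's Authenticode status, which is what you need in hand before turning on a %AppData% path rule or an AppLocker policy: the validly signed ones can be allowed by publisher, the rest are the short list to whitelist by hash or remove. It assumes it runs as the user whose profile is being inventoried and that PowerShell 4.0 or later is available (for Get-FileHash).

```powershell
# Added example: inventory every .exe under the per-user AppData trees and
# record its Authenticode status, so the small set of legitimate unsigned
# binaries can be whitelisted by hand before a blocking rule is applied.
# Assumption: runs as the user whose profile is inventoried, PowerShell 4+.
$roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ -and (Test-Path $_) }

$inventory = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Modified  = $_.LastWriteTimeUtc
                SigStatus = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Anything not validly signed needs a decision: allow by hash, or remove.
# Signed-and-valid binaries can be covered by a publisher rule instead.
$needsReview = @($inventory | Where-Object { $_.SigStatus -ne 'Valid' })

$out = Join-Path $env:USERPROFILE 'Desktop\AppDataExeInventory.csv'
$inventory | Sort-Object SigStatus, Path | Export-Csv -Path $out -NoTypeInformation

"{0} executables found, {1} not validly signed; full list written to {2}" -f `
    @($inventory).Count, $needsReview.Count, $out
$needsReview | Select-Object SigStatus, Signer, Path | Format-Table -AutoSize
```

Run it on a few representative workstations before rolling out a rule, since the list differs per user (GitHub for Windows, ClickOnce apps and Chrome's per-user install all live there, as other posters note).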
[+] sfont|12 years ago|reply
I tried implementing this solution and it has a lot of difficult side effects. Shortcuts on the task bar could not run (with the exception of Chrome, oddly enough). If you select run in IE it fails because it saves to temp, and some installers failed as well, again because of the use of temp. Unless the end user is very savvy or has onsite IT, it seems that the better solution is rotating backups. Alternating days to external hard drives that are then disconnected is the best mitigation. And having already had one client affected by this, it does scare me. Interestingly enough, he paid and had his files decrypted in about 48 hours.
[+] MiguelHudnandez|12 years ago|reply
I was hit by this, or a variant, at my place of business. Hundreds of thousands of files on our shared drive were overwritten, about 2 TB worth of files. Office documents, PDFs, and Adobe documents like PSD and INDD were encrypted. JPEGs were altered but still viewable. All files increased in size by a few hundred bytes.

Pull-only backups were the savior here, although because we didn't notice until the next day, the pulled backups on that system were also overwritten with encrypted/corrupt files. Luckily we had VSS versioning on the pull-only backup location. There was a close call in that the 2 TB or so of "new" data ended up pushing VSS over quota and we almost lost our good versions of the files that way. If not for the VSS versions, we would've had to resort to cold backups which would've been a bit older. As it stood, no file recovered was more than a few hours old.

Auditing on the file share indicates which workstation was infected. Pertaining to that: it surprises me that in 2013, a default install of Windows will not log any useful information about shared folders by default. You must enable object auditing in Group Policy and specifically declare which users or groups are subject to said auditing on a share-by-share basis. In a world without logrotate, I suppose a sensible default is to just let a bunch of shit happen without recording it.

What gets me wound up most of all is the amount of engineering involved for an average home user to protect themselves. I thought a Mac with Time Machine was enough, but a similar virus would easily corrupt those backups if they were available to it over a mapped drive.

It is the goddamn 21st century, and users are still losing work by overwriting documents by accident, or opening a document as an e-mail attachment and not being able to find the actual file they edited. Should people really need an IT guy with ten years of experience to be protected from simple mistakes? Google has made progress on that front with the Chromebook, I suppose.
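An added example, not from MiguelHudnandez's post: the burst detection you would run over file-share object-access audit events once auditing is enabled in Group Policy as the post describes. On a real server the events come from Get-WinEvent on Security event ID 4663; here a constructed sample stands in for them, and the field names Time, User, LogonId and File are assumed simplifications of the event's TimeCreated, SubjectUserName, SubjectLogonId and ObjectName.

```powershell
# Added example: flag an account that rewrites an unusual number of distinct
# files on a share within a short window, the pattern described in the post.
# Assumption: object-access auditing is on; events would come from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 }
# A constructed sample is used below so the logic runs offline.
function Find-WriteBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 5,
        [int] $Threshold = 50
    )
    $Events | Group-Object User | ForEach-Object {
        $user = $_.Name
        $evs  = @($_.Group | Sort-Object { [datetime]$_.Time })
        $start = 0
        for ($i = 0; $i -lt $evs.Count; $i++) {
            # slide the window start forward so it spans at most $WindowMinutes
            while (([datetime]$evs[$i].Time - [datetime]$evs[$start].Time).TotalMinutes -gt $WindowMinutes) {
                $start++
            }
            $window   = $evs[$start..$i]
            $distinct = @($window.File | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [PSCustomObject]@{
                    User      = $user
                    LogonId   = $evs[$i].LogonId   # join to event 4624 to find the workstation
                    FirstSeen = $evs[$start].Time
                    LastSeen  = $evs[$i].Time
                    Files     = $distinct
                }
                break   # one alert per account is enough
            }
        }
    }
}

# Constructed sample: ordinary editing by one user, plus one account
# touching 80 distinct files in under three minutes.
$normal = @(
    [PSCustomObject]@{ Time = '2013-10-17T09:02:10'; User = 'alice'; LogonId = '0x3e7a1'; File = '\\fs\share\q3\report.docx' },
    [PSCustomObject]@{ Time = '2013-10-17T09:40:55'; User = 'alice'; LogonId = '0x3e7a1'; File = '\\fs\share\q3\budget.xlsx' },
    [PSCustomObject]@{ Time = '2013-10-17T11:15:03'; User = 'alice'; LogonId = '0x3e7a1'; File = '\\fs\share\q3\report.docx' }
)
$burst = 1..80 | ForEach-Object {
    [PSCustomObject]@{
        Time    = ([datetime]'2013-10-17T14:10:00').AddSeconds($_ * 2).ToString('s')
        User    = 'bob'
        LogonId = '0x5c21f'
        File    = "\\fs\share\q3\doc$_.pdf"
    }
}

Find-WriteBursts -Events ($normal + $burst) | Format-Table -AutoSize
```

The LogonId in the alert is the handle for the next step: the matching 4624 logon event carries the workstation name and source address, which is how the infected machine is identified.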

[+] tempestn|12 years ago|reply
Something like CrashPlan provides good protection against this sort of thing for home users. It includes versioned, off-site backups -- either on their servers for around $6 a month, or on a "friend's computer" for free. Either way, the backups are saved via CrashPlan, not with direct drive access, so it should be safe against this kind of thing.

No affiliation, just a user.

[+] Wingman4l7|12 years ago|reply
> opening a document as an e-mail attachment and not being able to find the actual file they edited

I'm so sick of this. The "open/save" dialog is in sore need of being revamped. There's really no such thing as "open" anyway -- it's really "save to some obscure profile temp directory and then open". Try explaining "you can't open a file that's not first saved to disk" to a user, though.

[+] keyme|12 years ago|reply
"JPEGs were altered but still viewable". Could be a problem with their encryption. Care to share a before and after JPEG of something? For science?
[+] anExcitedBeast|12 years ago|reply
I really don't think we should try to dumb down UX for the benefit of less experienced users. You run the risk of creating a false understanding of how a computer works which can cause harm down the line, as well as frustrating and confusing more advanced users who do know what happens when you save a word document. Besides, as the user population ages it's becoming less of a problem.
[+] driverdan|12 years ago|reply
So you had 2TB of crucial business files and only had a single backup point? No remote / online backup? Scary.
[+] antihero|12 years ago|reply
I think the interesting thing here is the shift in the target - the "best" target used to be compromising the OS, so OSes made moves to protect themselves from programs running as unprivileged users. Now, it's trivial to wipe an OS and restore from a backup. The real value is the things people store on a computer, which are usually going to be accessible via a user account.

One trivial solution would be OS level automatic versioning of files (à la Dropbox or Sparkleshare) - the original files would be written to a location that is read only to the user and only accessible via the OS, hence backups could always be restored from it, but never destroyed without admin rights.

Of course, with people having great internet and whatnot, an automatic cloud based solution would be much more likely and useful.

I think with Windows 8.1 and onwards, Microsoft are automatically doing this by setting up the "Documents" type folders in SkyDrive - a great thing moving forward.

Backups are, obviously, a much better solution but require extra storage and usually cost money.

So there might be a niche for a freeware product that runs as an admin that automatically versions files - perhaps even as simple as having an admin-owned .git repo for the Documents folder.

The worrying thing about this attack is that targeting user data is trivial on all OSs, because of the way we think about privileges - it could be done to us Linux users through something nasty in our shell rc using GPG or whatever. There is no need to compromise anything.

[+] Silhouette|12 years ago|reply
> I think the interesting thing here is the shift from the target - the "best" target used to be compromising the OS, so OS's made moves to protect themselves from programs running as unprivileged users. Now, it's trivial to wipe an OS and restore from a backup. The real value is the things people store on a computer, which are usually going to be accessible via a user account.

You make an excellent point, but there is a second and perhaps even more sinister side to it. Encrypting your data and holding it hostage is one thing, but even if you have indestructible backups, there are probably still many sensitive pieces of information that can be acquired by a blackmailer with only user-level privileges: bank details, company trade secrets, personal mail/photos/videos, etc.

Having a back-up of these is important, but probably so is ensuring that they aren't distributed to people they shouldn't be. This requires a very different model of access control and user/application privileges, and unfortunately I don't think any mainstream OS is even close to solving this one yet.

[+] masklinn|12 years ago|reply
> Backups are, obviously, a much better solution but require extra storage and usually cost money.

And the virus will encrypt anything writable, so the backup needs to be "pull". If the infected machine is the one doing backups and has write access to a non-cold-storage backup location, it may encrypt the backup itself.

[+] mistercow|12 years ago|reply
The only virus I ever got was the SevenDust 666 virus on Mac OS 8. An infected machine would have a "666" extension that couldn't be deleted (it would instantly replace itself) and then start losing files. So losing files as a target has been around for many years.

The interesting change to me is that now viruses have been effectively monetized.

[+] marcosdumay|12 years ago|reply
> the original files would be written to location that is read only to the user and only accessible via the OS

A versioning filesystem looks much cleaner than a different location. Maybe we should start using those again. (Is there any candidate for ext5 already?)

And yes, partitioning the data permissions for the same user is a much needed change. Nobody has a solution for that yet, and there are lots of people trying. Apple, for example, is just giving up on iOS; Google has a subpar solution on Android that does not actually work in practice (the CyanogenMod people did improve it a bit) but is the closest we have to something viable.

[+] jafaku|12 years ago|reply
This opened my eyes, thanks. I'll see how to set up backups that I can create but not delete.
[+] ggchappell|12 years ago|reply
I get annoyed when people are warned not to open some attachment. The real problem here is that in 2013 we're still using the flawed language of "opening attachments" -- as if running a native executable with full permissions is an action that belongs in the same category as viewing an image, reading a text file, or listening to music.

Well, it doesn't. This is a problem that should have been solved at the level of OS permissions/UI long ago. Why does a modern OS include UI functionality allowing a standard user to run an uninstalled executable in a non-sandboxed environment? There's no good reason for it.

In some cases the problem has been solved (e.g., restrictions that allow only signed apps to be executed). But I guess none of those cases include Windows, its standard UI, and popular e-mail programs. :-(

[+] Wingman4l7|12 years ago|reply
We only use that language because it's an order of magnitude easier to explain to novice computer users, and because as you stated, the problem still hasn't been fixed at the OS permissions / UI level.

A modern OS lets us do that because lots of users are the sole user of their PC and do not understand the idea of permissions.

[+] kuschku|12 years ago|reply
The best solution would be the one used by Linux: Separate Data and Software.

On Linux there is a specific flag that has to be set, and is not set by default, to make a file executable.

So if you run something, you know that you are running it as a program and not opening it as data.

Windows on the other hand marks everything as executable which begins with MZ and whose filename ends in .exe or .com.

[+] susi22|12 years ago|reply
In a corporate environment I'd expect crucial data to be on the network drive and snapshotted every few hours. We run ZFS on our network and all the secretaries have to do their doc/excel work on the drive. Now that everybody has a Gigabit Ethernet connection, reads/writes are extremely quick.

Use ZFS and make read only snapshots that are only accessible to the sysadmins. You'll solve many problems that way. We do snapshots at 6am, noon and 6pm and then keep the 6pm one for 7, 14 and 30 days.

[+] Fuzzwah|12 years ago|reply
Victims don't even get the enjoyment of having to make their payments in some far-flung corner of an MMO, like the plot of Reamde.

https://www.goodreads.com/book/show/10552338-reamde

[+] Uhhrrr|12 years ago|reply
That's the first thing I thought of, too. This is just about exactly the model of the Reamde crew.
[+] amalag|12 years ago|reply
A company I work with was hit when the employee opened a phishing email supposedly from another employee in the same company. It hit about 50 GB of data on the shared drive. We had CrashPlan and restored from a few days previous. I then turned on DKIM and enabled quarantining non-DKIM emails via DMARC.
[+] sillysaurus2|12 years ago|reply
> I then turned on DKIM and enabled quarantining non DKIM emails via DMARC.

Translation for techies who aren't familiar with email's many acronyms?

[+] driverdan|12 years ago|reply
That doesn't cause problems? I've seen a lot of email that isn't signed.
[+] andybak|12 years ago|reply
Everyone is talking about post-infection. However - this passage from http://www.bleepingcomputer.com/virus-removal/cryptolocker-r... seems fairly key also:

"This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them."

I haven't got a Windows box handy to try this on but I assume there is at the very least an extra warning dialog when opening an exe - even a zipped exe?

Not that that mitigates this at all. The inability to distinguish executables from data files - and although that doesn't apply in this case - the ability of data files to hide executable payloads either via design or error - is a major and currently uncorrected flaw in the system.

[+] pbhjpbhj|12 years ago|reply
Why doesn't MS Windows use magic numbers to establish file types, or does it now?
[+] coryfklein|12 years ago|reply
Ah, I guess it is time to send the annual email to mom, dad, and the in-laws to be very wary of downloading anything or clicking on links in suspicious emails.

I find this is good insurance against the inevitable phone calls I receive as the only computer-literate member of the family: "Hey Cory, all my documents disappeared and I can't get them back. Do I have a virus?"

[+] mariuolo|12 years ago|reply
I'm sorry, but if a firm doesn't compartmentalise access and a single infected workstation can bring down everything, then they deserve what they get.

Had it not been ransomware, it could have very well been a disgruntled employee, to the same effect.

[+] pavel_lishin|12 years ago|reply
While you're technically right - we are responsible for our security, and we should lock down our networks just like we lock our front doors - this is basically blaming the victim.
[+] sillysaurus2|12 years ago|reply
I want to upvote you for truth, but HN currently has a meanness problem of which this comment is a specimen.
[+] emillerm|12 years ago|reply
I think the article mentions that it's small businesses that are at risk. Most mom and pop shops don't have the greatest IT infrastructure.
[+] rwallace|12 years ago|reply
Have you fully secured your home and office against arson attacks? No? Don't even know how to do so? Didn't think so. Does that mean you deserve what you get if you end up bankrupt in the event of such an attack?
[+] fekberg|12 years ago|reply
I've been trying to raise awareness on my social media, since my family, friends and co-workers might not spend time on Hacker News.

If you want, copy my message and share with your family, friends and co-workers:

"Hi folks,

There's a new virus out there that I want to raise awareness of, it's called CryptoLocker. Basically what this virus does is that it tracks all your files - hard drives, flash drives, USB sticks, network drives/shares - then it encrypts the files it finds.

The only way to unlock the files again is to pay $300 to get the key used for the encryption. The encryption used is RSA with a 2048 bit key which makes it extremely hard to crack, I'd say impossible with the time span and today's computers.

You have 72 hours before they trash the key making it impossible for you to get your data back.

This can be extremely devastating if you are running a business and all your files are gone. If you sync your files to the cloud, you're still not safe, it syncs the encrypted files as well. If you are able to restore to previous versions of your files in the cloud - great.

Let your friends, family and co-workers know about this.

Here are some simple ways to avoid getting a virus in general:

1. Don't open e-mails from people you don't know

2. Don't open attachments in e-mails unless you were waiting for the attachment

3. Don't go to websites/click links that you don't fully trust

4. Don't download and execute files that you don't fully trust

It might seem obvious to most of us not to do the above, but to a lot of friends, family and co-workers it might not be.

Imagine waking up and having to pay $300 to get your data back. However, the police tracked down one of the servers that serves the keys and shut them down which means the keys were not delivered and the data was lost, this means even if you do pay the $300, there is no guarantee that you will get the data back.

Raise awareness of this and avoid having your files lost."

[+] ChuckMcM|12 years ago|reply
Central to the plot in the book Reamde but these guys don't offer a 'pay in WoW gold' choice.

Given the cost of computers these days, at least in business a separate 'browsing' machine and 'business' machine seems to be the best solution. I wonder if you could provide wireless for employees to bring their own laptops which had no 'office' connectivity (but internet connectivity) and machines that were hard wired and MAC filtered to the 'business' network.

[+] alec|12 years ago|reply
Since the Bitcoin blockchain is public, couldn't you follow the money? Make a list of all wallets that accepted these funds initially, and then do graph analysis, either to see where the money went or provide others with a tool to avoid transactions with those wallets?
[+] ryan-c|12 years ago|reply
I've gotten a few copies of this, all to an email address that was only ever given out to AT&T, and is not guessable.
[+] PilateDeGuerre|12 years ago|reply
This scenario - minus the Bitcoins - was a plot device in Neal Stephenson's "Reamde".
[+] gwern|12 years ago|reply
The only new thing about this ransomware is that the payment method is through Bitcoin, right?
[+] scotty79|12 years ago|reply
I wonder if the amount of $300 was determined via A/B testing as optimal for bringing maximum profit.
[+] DigitalSea|12 years ago|reply
This is one of the scariest forms of attack on computing since viruses became prevalent in the nineties. The fact they were up until recently relatively undetectable adds another eerie dynamic to the situation. It highlights the age-old problem of people not pro-actively backing up their data offline until it's too late. Go out and buy a couple of cheap 1TB external drives and back your data up now and keep doing it; there are even tools and drives that handle this automatically for you.

While ransomware isn't anything new, the fact that the authors of such software are using currencies like Bitcoin make it that extra bit harder to track and stop these people from extorting data. I sense a new wave of ransomware is about to hit the scene now that Ars have revealed specifics about potentially making millions a year from such a racket. It's hard informing people about these things without encouraging others to go and try writing their own ransomware and expect Bitcoin as payment.

This really worries me.

[+] grecy|12 years ago|reply
When I first saw the title, I thought it went like this:

1. Your machine is infected, and it encrypts everything it can.

2. The 72 hour countdown begins, and during that time your machine has been re-purposed to crunch Bitcoins.

3. All you have to do is wait 72 hours, and everything will un-encrypt and uninstall, leaving you perfectly fine.

Creators profit by having millions of machines crunching Bitcoins in their name.